Liquidmatrix Security Digest

The Disclosure Diaries


I have a confession to make: I’m not a whiz-bang, controversial, rock star security researcher (go ahead, GASP!). I’ve revealed a few bugs here and there, created some proofs-of-concept, but I’ve never dropped a crazy leet 0-day, had someone sic a legal team on me (yet), or dealt with miles and miles of red tape. I do, however, happen to know many fine folks that have been put through the wringer for disclosure, responsible or otherwise, and it sucks to see/hear/read about.

Lawsuits, gag orders, controversy…just some of the negative things I’ve witnessed my contemporaries and friends undergo after approaching a software vendor about some bug they uncovered. This type of reaction can be very discouraging for a security researcher, possibly resulting in them eschewing communication with the vendor in favor of disclosing it outright or selling the details on the black market.

Now, the “responsible disclosure” debate is one that’s been run dry; reconstituted; run over by a tank; re-assembled; annihilated by a nuclear bomb; and then somehow turned into a zombie mutant that just won’t die; so, with that in mind, I will spare you the usual rigmarole.

I think that it’s important to mention the EFF’s “Coders’ Rights Project Vulnerability Reporting FAQ”, as this is not only a great guide but also serves as somewhat of a basis for my proposal (also, I’ve got a huge crush on the EFF). I’ll give you a moment to go ahead and peruse the aforementioned FAQ. *waits patiently* Okay, let’s move on.

Note the last section in the EFF vuln. reporting FAQ. It summarizes the points that a researcher should consider when embarking on the potentially perilous journey that is vulnerability disclosure. I’d venture to guess that I’m not alone in saying that these points are essential, but it would be naive to think that following them to a ‘T’ will result in a happy, grateful vendor. While vendors and researchers alike have made great strides in strengthening their relationships, many (on both sides) remain opposed to any semblance of responsible disclosure (for various reasons).

After all that, on to my point: I would like to propose the creation of a site that lets security researchers share their experience(s) when going through the vulnerability disclosure process with particular vendors. This would allow other researchers to get a sense of how certain vendors might react, the timelines they might deal with, and other points involved in the disclosure process. While this type of discussion already happens on mailing lists and disparate forums, I know of no central location for this info.

Of course, this isn’t without its challenges. Just to cite a few:

1. Authenticity of a researcher’s claim about their experience. How do we verify that a researcher’s interaction with a given vendor is legitimate?

2. Utility and attractiveness (not aesthetically speaking) of the site. How do we get people to want to use this without having it become just another outlet for frustrated researchers? They should want others to benefit from their experiences, and hopefully avoid the same pitfalls or tribulations.

3. The “(Security) Assassination Market.” How do we minimize any negative influence this site may have (e.g. researchers going after soft targets because of good/bad experiences)?

I’m going to cut it right there and see who bites and who bitches (plus, I’m tired). 😉

UPDATE (2009-07-17 08:50): After a few responses from people (off the blog), I realized I failed to list the challenge of protecting the identity of whoever posts a story to the site. Naturally, this is something that would need to be balanced against the authenticity piece.

(CC licensed image from twenty_questions)
